Transcribed by ESO, translated by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
Transcribed by —
general. Don't tomato me, guys. Okay, so why do you need security? Very quickly. Sometimes
you're targeted by really good guys. RFP rooted my box once. No, he didn't. But if he had,
he might have done it because he was going after some bank and he wanted to make it look
like I was going after the bank because then I'd get in trouble. You're also targeted by
script kitties. You're also targeted by other hackers called script kitties. And I've met a
couple of them here and there. Nobody here, though. And you get targeted by them, and that's
what most of us are dealing with. We're getting targeted by script kitties because some script
kitty found an exploit against whatever, RPC stat D. And they've got a scanner that goes and
looks for people with that exploit. And then they go and scan, like, oh, I don't know, the
entirety of at home. I didn't watch that happen.
Yeah, so a lot of us forget. We kind of say, ah, I don't need to worry about getting hacked
because I'm not interesting. And the thing is, you are interesting. You are interesting because
you have an IP address. You put your box on the Internet 20 minutes ago and they found you. You
got picked up by a scanner and now they come in for you. So what is Bastille doing in general,
in theory? We're trying to... Damn, if those screens fall, I'm running.
What's that? Yeah, I'm safest here. Okay. It works by minimizing points of entry in general.
Okay, we try to shut down network demons. For the network demons that you want to leave up, we
try to restrict who can use them. Like a lot of these things, especially like web servers will do
it, you know, you can say exactly what IP addresses, what interfaces they're allowed to accept
connections on. This can be amazingly useful. Lots of people don't need a web server. They just want a
web server on their one machine because they're like writing up web pages or CGI scripts and they
want to test them before they push them out to the main server. So if you're one of those people,
what we'll do is we'll say, okay, we'll set your Apache to only accept connections from your box,
which works pretty well. As far as points of entry, we also try to restrict access to
used or accessible programs, okay? We try to do things like, my users are logging in across an
ocean, so maybe they don't need to be able to mount the floppy drive, which makes it harder to connect.
which means I can, like, shut down mount.
I can take mount and make it non-set UID,
and that'd be good,
because then I'd avoid one of the exploits
in the past year or two.
Okay, we're also trying to prevent privilege escalation.
Okay, what happens sometimes is somebody hacks the web server.
The web server gives them user whatever, user web.
And then from there, they run some set UID program
that gives them user root.
So we want to do anything we can
to stop somebody from turning user web into user root,
because, you know, it's a good idea.
You all having fun?
Is this good?
Cool.
Make some noise!
No, I'm sorry, I have.
Okay, so, now, does it work?
It does work.
It does work.
It's kind of cool, but it actually, I mean,
I didn't know it was going to work, but it works.
I mean, you know, if you take Red Hat 6.0, okay,
and you take the vulnerabilities that existed in Red Hat 6,
we really helped you dodge or at least contain
the bulk of the exploits, and that was pretty cool.
Okay, there was a remote root hole in Bind.
Okay, we let you shut down Bind,
which, again, would kind of help you dodge that entirely.
And if you didn't want to do that,
Bind used to ship default, still does in some distros,
used to ship default running as root,
and that kind of sucks, because somebody takes over Bind,
some worm takes over Bind.
You don't even get automated by a human.
You get automated by some stupid program.
Okay, so what we do is, you know,
we set Bind to run as user DNS, and we true root it,
which means we lock it into some itty-bitty directory
where, like, you know, if somebody takes over Bind,
if somebody gets a DNS shell,
that shell is restricted to this itty-bitty directory
that's got virtually nothing in it,
and nothing really that Bind owns, that that user owns,
except for one little itty-bitty teensy-weensy PID file.
So that's kind of cool.
We helped a lot of people dodge that,
and that was, like, the scourge
of Red Hat 6.
I mean, the scourge of a lot of other stuff, too.
Woo FTPD had an exploit.
It's always got an exploit.
I guess it's like Bind.
We offered to shut it down for you.
We also offered to shut down anonymous access
or user access or both,
and that was really useful,
because the ad exploit kind of requires
that they actually be able to...
Yeah, the first exploit at least required
that somebody be able to write stuff to your machine,
and...
We try to shut down any kind of access we can.
Again, this is where the educational aspect came in
more than the script aspect.
If we could tell you that FTP sucks,
you know, FTP sucks because it's clear text.
FTP sucks because it's really rough to firewall.
FTP sucks because they're always rooting it, you know.
If we can tell you that FTP sucks,
maybe you'll stop running it,
and then you don't have to worry
about getting nailed by this one.
User Helper was a little-known PAM program,
and there were a couple different exploits against it.
I think Dildog wrote User Rooter.
And then there was another one.
I don't remember what the name of the other exploit was,
but it was really simple to exploit,
because this thing didn't check what directory it was looking in,
so, like, you could have it go back
and use some other file.
It was a pretty cool exploit.
It was local only,
but basically the user could get this root program
when doing...
I think it was when doing authentication
or doing...
to go back and use some library that he created
instead of the normal library.
It was really stupid,
and, again, we helped you dodge it,
because when we did our set UID,
that was just one of the things that, like,
this doesn't...
we don't need this.
So, this was useful.
LPD and SendMail had a remote root.
We shut these down, if you asked us to,
because lots of people don't print from that machine,
or lots of people don't need to send mail from that machine,
or to receive mail.
There were some more.
Dump and Restore.
Dump and Restore was kind of stupid.
I mean, it really ticked me off
when I saw Dump and Restore set UID,
because let's think about it.
Dump and Restore are used for backups, okay?
So, do I have ordinary users
who are running their mail accounts
running my backups?
If I've got someone running my backups,
it should be somebody that I've specifically told
the operating system to trust.
And this is one of those stupid things
that just shouldn't have been set UID.
And, well, we took care of that.
So, again, you didn't get rooted
by the dump exploit or the restore exploit
if you did our set UID audit
and, like, did what we told you to do,
which was kind of cool.
GPM was another one.
They used that to get the mouse cut and paste in console.
Lots of people never used console.
So, again, it was something we could shut down,
and if you shut it down,
you dodged yet another exploit.
Now, that one was a local exploit,
and there are lots of other ways to locally root a box.
So, you know, the merit of this was only so strong,
but it was pretty useful.
Yo, question.
What if they didn't let it stay?
So, the question is,
what if they do want to send and receive mail?
Okay.
You know, what do you do?
Well, the issue is,
some of this can be granularly configured.
Okay.
You know, it's like,
suppose you've got this machine.
I mean, if you're, like,
lots and lots of users are using SMTP
to get mail off the box,
and they're using pop and IMAP
to get mail to their box.
Like, if this workstation you're sitting in front of
doesn't have to be,
you know, it doesn't have to receive mail
and distribute it to users,
then you don't need sendmail running in daemon mode.
You can just, like, shut it down,
and, you know, when you run, like,
Mutt and Pine and all that,
they start up their own sendmail process
to get mail off the box.
You really only need sendmail to get mail to the box,
and that's only if you're using,
if you're trying to run your own mail server.
It turns out that the bulk of the people don't need it,
and so we're able to shut down just what they don't need.
You know, it's like, okay, your mail still works,
just this part doesn't work.
The other issue is, I mean,
a better example is probably Apache.
When we go to hard in Apache,
like, a lot of people want to have a web server,
but they're not ever going to use,
they're not going to put any CGI scripts on.
So we shut down CGI functionality.
We shut down server-side includes.
And that kind of, the granular parts really do help a lot,
and sometimes it's just the education part helps.
Where we can't config,
if we can't configure something really, really finely,
we can educate you on it, and we can pray,
or hope, or whatever,
because we're not doing anything in kernel space.
And if you really wanted to, if you really wanted to,
if you really wanted to protect yourself
from SendMail's next root hole,
it mostly ends up doing,
it mostly means doing something in kernel space,
or cherooting SendMail, or something like that.
So, was that a good answer,
or did I mostly dodge the question?
The asker has passed out from heat exhaustion.
No, he hasn't.
It's all good.
Okay, vulnerabilities we didn't stop in Red Hat 6.
These are just like major,
just like stuff that was well advertised.
NMH, mailer, couldn't do anything for you.
It didn't have privilege.
It only gets privilege if you run it as root.
If you're not running it as root,
then you don't get mailed.
But if root's reading their mail with MH,
or in this case,
if root's using man to read man pages,
you kind of get mailed.
And we didn't really spot that stuff
because it's not a program that had privilege
that we could strip privilege from.
And it's not stuff we could make a good argument
for removing from the system.
So, I mean, especially man, you know?
Like, we want people to read man pages,
not to stop.
So, you possibly got mailed on these.
These are pretty tough to exploit,
so you probably didn't.
But there's not much we can do.
The one point I can make about root is,
try to just use root for what you need root to do.
You know?
I mean, please don't run Netscape as root.
Oh, God, please don't.
You know, I don't know.
Now that she's married to,
now that she's getting married to a RAIN RFP,
maybe Zoopkit and I'll take some time
and try to show why we shouldn't use Netscape as root
and make a whole bunch of exploits
that people get nailed at reading their mail.
Sorry.
Okay.
How many minutes
did I just miss?
Shit.
I'm sorry.
I sound really loud to myself up here.
I got big speakers or something.
You want me to go back two slides?
No.
Okay.
I'm gonna keep going,
but I'll just try to keep this next to my mouth.
Okay.
So, best deal.
People are using it.
SGI's been shipping it on a bunch of their appliances,
which has been pretty cool.
They're Linux appliances, not their Irix ones.
I don't think they have any Irix appliances.
Mandrake Soft, kind enough to hire me,
go Mandrake Soft, woot woot,
is shipping it in their distro,
which is really cool.
So it's not,
it doesn't run at install time
because best deal takes a while to run
and asks a lot of questions
and they figure users would get annoyed by that
and that's cool,
but it's in there,
so if you've got a Mandrake 8 or later,
you just type interactive best deal
and boom, you're running it.
You know, you don't have to download it.
You don't have to put up with, like,
my RPM distribution method or whatever the hell.
HP has also developed three programmers
and I think a manager as well to, like,
well, the manager, I think,
is supposed to hold the programmers,
no, I'm not gonna say that.
I'm just kidding,
especially if the HP guy's in the room now.
HP's devoted some programmers
to help out with porting it,
so that, like, really rocks.
I'm really happy with that
because we're gonna work on HPUX
and we weren't gonna do that for a while
and they're helping out.
HP's doing some cool stuff in open source right now.
So I'm happy with that.
We think we've got a lot of users.
We really don't know how many.
The problem with finding out how many is
we've got one central site
and, like, everybody, like,
everybody pulls the files down
and distributes them elsewhere.
So we've got, it's going out through PacketStorm
and it's going out because, you know,
kiddies need secure systems too
and it's going out through
a bunch of different security sites.
So we're not sure how many people we've got.
We know the main site has seen
some huge number of downloads.
I think we saw, like,
50,000 through the main site at least.
I mean, we're at 100,000
but the tough thing is we don't know
how many people got each version.
So it's kind of crazy.
But a lot of people are using this,
which is really good.
So hopefully a lot more people will be using it
when it runs on HPUX and Solaris
and Debian and Slack.
And we'll see what comes next after that.
And some guy, like,
actually made it work on SUSE
but he hasn't given me any of his materials yet.
But we can raz him later.
Read the article.
Yeah.
Okay.
So Bastille will work on SUSE,
read the Linux journal article on it,
and, like, you know, it'll help.
I don't know.
Red Hat?
Anybody from Red Hat here?
Okay, yeah.
Anybody got a T-shirt?
Sorry.
So hopefully maybe Red Hat will, like,
will start using Bastille
or their own hardening script
or whatever the hell
and we'll get better defaults out of Red Hat.
Do we work on Wirex?
We work on Wirex.
The Immunix,
Immunix,
Wirex's Immunix distribution
is very close to Red Hat,
so it, like,
Greg sent us, like,
three-line,
a three-line patch that made it work on Wirex.
On Wirex's Immunix.
So yeah, we work there.
I dig Immunix.
As somebody who works for a vendor,
I probably shouldn't say anything more like
I really dig Immunix,
but it's pretty cool.
They do kernel stuff.
We do configuration stuff.
Combine the two,
it's pretty cool.
Um, history.
Bastille started out,
like,
originally they were gonna write,
they were gonna make a distribution from scratch,
hence the Bastille Linux name,
like Red Hat Linux,
Mandrake Linux.
So they were gonna make a distribution from scratch,
but, um,
that was a whole lot of work.
I mean,
a whole lot of work.
And they just couldn't keep up
and it was pretty discouraging
and it stunk.
So they said,
let's just make a script that turns Red Hat 6
into a decent operating sy-
I mean,
into a more secure operating system.
I'm having fun here.
I don't get to say this stuff
at any other conference.
so,
basically,
they said,
okay,
we'll write a hardening script.
Anybody got a hardening script?
And I kinda came out and said,
I,
I can write one.
Um,
so they let me,
which is cool.
So now we've,
we've been like,
we've been adding stuff.
We're gonna add some really cool stuff.
I'll talk about that later.
Um,
but it was a really,
it was a really simple,
really very,
very simple,
not so intelligent hardening script
that turned a fresh Red Hat 6 install
into something a whole lot better.
Okay?
I just installed Red Hat.
1.1,
um,
Jay sat down for like,
you know,
a few weeks
and coded up a new API
and did a whole bunch of work
and now,
at that point,
it started working on non-virgin systems.
Okay?
So,
you know,
you install Red Hat 6.
You sit alone for six months.
Um,
hopefully you left it unplugged
so it doesn't get rooted.
Um,
and then you run,
uh,
Bastille on it
and you get something a whole lot better.
Um,
we also added a bunch of stuff.
Like,
it's a whole lot easier
for people to extend it.
Like,
I've got some slides
that are gonna be on my site
in the next week
that'll tell you
how to write your own modules
if you want to
and then you can send them to me
and we'll include them in Bastille.
Um,
it's very extensible.
We put a cool configurator on it.
It's got a whole lot smarter.
It's got all kinds of cool features
like an undo
and it keeps track
of everything it's doing
and it'll tell you what it's doing
and,
and all kinds of cool stuff like that.
1.2,
we just released,
uh-oh,
this is a past slide.
Um,
1.2,
we just released,
um,
a few weeks ago
and,
it's cool because it's smart,
it's,
it's smarter.
It will,
like,
look at the state of your system
a little bit
and not do stuff
that it's really obvious.
It doesn't,
not ask you questions
that's really obvious
don't apply to you.
Um,
and that's gonna get even smarter.
Um,
and we got an X configurator
that I'll show you
when the,
when we're done with the slides.
Okay.
We're growing too.
Um,
we're gonna add more modules,
more content.
We got a bunch of people
who want to help with that.
Um,
at some point
we'll get decent documentation.
But right now
the script is its own documentation.
It does pretty well that way.
Um,
we're gonna run on more platforms.
I told you we're going after HPUX
with like,
you know,
with a,
uh,
with a quick pace.
And then,
uh,
Solaris is next.
Anybody here from Sun?
We're coming for you,
you bastards.
Yeah.
What about FreeBSD?
Oh,
boy.
Um,
FreeBSD's actually got
some interesting work going on
as far as security.
Um,
so I've kind of thought of them
as,
as,
uh,
not quite the,
the best next target.
Because FreeBSD,
in my mind,
is a whole lot better off.
I mean,
in my mind,
for a lot of reasons,
you're a lot better off
running FreeBSD than Solaris.
And I want to kind of make Solaris
a whole lot better.
So I'm,
I'm going up to Solaris right now.
But once the Solaris
and HPUX is done,
it's gonna be a whole lot easier
to look at FreeBSD.
In the meantime,
I'm not sure if somebody's,
if somebody's got solutions.
There's been some people
trying to work on that
for like,
two years.
I'm not sure where they're going.
I didn't really want to
step in their space
before taking some real time
to,
to see what shapes up.
Yeah.
Irix.
Um,
Irix,
we are,
uh,
we had a university offer
to help us to,
to donate a grad student
to,
to port to Irix.
And,
uh,
and they've kind of,
they kind of got,
they kind of backed off.
I think they lost their grad student
or something.
Um,
but we've thought about Irix.
And if somebody stepped up the plate
to help out with Irix,
I would,
uh,
yeah,
another question over there.
Who's,
I'm sorry?
.
The,
the,
yeah,
I know.
Center for Internet Security
has a Solaris hardening script
as well as a checker.
Yeah,
I do.
Um,
the,
the,
the,
the,
the,
the hardening script
is really kind of like beta.
Maybe it's alpha.
Um,
as far as,
as far as,
as far as the Center for Internet Security,
what it's doing is like,
it's doing a sub,
they're,
they're kind of checking
a subset of what Bastille does.
And what I think a,
a really good hardening script should do.
They're trying to look for minimum standards.
Um,
so,
they've also got a very,
very basic script
that Hal Pomerantz wrote.
Um,
and it will try to bring you up to compliance
with their,
with their standards.
I think that Bastille does a whole lot better job.
Um,
and honestly,
uh,
I'm involved with the Center for Internet Security.
I,
uh,
I wrote the tester.
Um,
so,
I think there's some,
there's some possibility we're gonna end up using Bastille.
Um,
that we're gonna see if we can,
if we can distribute Bastille
or make Bastille do the Center stuff.
I'm not sure.
I have no idea where that's going.
So,
that,
that quote is vaporware.
Um,
but,
yeah.
So Center for Internet Security's got stuff.
A bunch of people have stuff for Sun.
Okay,
there's Titan for Sun.
There's Yasp for Sun.
There's Jasp for Sun.
Okay,
each of them has,
some really strong points and some really weak points.
Um,
I think that,
uh,
they can use some competition.
I think honestly that I'm not really gonna try to push you all to go to Bastille for Solaris.
I mean,
use one of the things that have been around for a while.
There are established standards.
Feel free to use them.
However,
if you have a heterogeneous shop where you're running Bastille,
and you're running HP,
and you're running Solaris,
I mean,
if you're running,
I'm sorry,
if you're running Linux,
and you're running HP,
and you're running,
and you're running Solaris,
maybe writing one policy config file
and
might be kinda cool.
You know,
without having to figure out for each system.
So,
there's some use in Bastille being on Sun,
and there's some reasons to use something else.
Um,
and I'd be happy to explore that in Q and A later on.
Can somebody tell me what time it is?
My clock has stopped.
1240.
1240.
What's that?
Okay.
So
I wanted to,
I can either run through each,
all the features of Bastille,
what,
what we do.
Or I can show you you know,
I can show you one of the screenings,
screens
Who wants, you know, all those slides that tell you about what Bestial does?
Q&A and a slight demo?
Okay, there are a lot more people in this room.
Jay, get off the stage.
Jay, okay, cool, cool, I'm happy with that.
What do the rest of you want, man?
Air conditioning!
Yeah, yeah, I'm with you there.
Okay, I'm taking that vote again, damn it.
Who wants to see what Bestial does?
Bunch of slides.
Okay, we'll go through and say this is something Bestial does, here's why it doesn't.
Okay, who wants to see a demo and do a Q&A?
Okay, we're doing a demo and Q&A.
Thank you, guys.
What?
You want a beer?
Damn, this conference rocks!
Yeah, I was running PowerPoint.
Yeah, I was running PowerPoint.
Let's see.
For those of you that saw Bestial before, it's gotten a little prettier.
I'm going to see if I can see my own screen, because my laptop's not doing it.
Okay, so, yeah, this is the interface, and what you see on the left side of the screen,
what you see on that side of the screen is a list of modules.
Each of those has a certain number of questions and those actions.
So, like, the Apache module.
Obviously, hardens your FTP server.
No, the Apache module does the web server.
Y'all are falling asleep on me, I know it.
Okay, so, what you see is we've got a, on the right side, you've got a question and
explanation.
The question's the thing I wanted to ask you in the first place.
The explanation's all that stuff I figured I had to tell you, so that you could make
an informed choice.
Some people have thought the explanations are really one of the better parts of the
Bastille.
They're like, you know, I don't want to use a script to do all this stuff, I want to do
it by hand, but I'd sure as heck like to, you know, like to learn something without
having to read an entire book or whatever.
So, the explanations are really darn useful.
The nice thing about Bastille is that as you go through, it's not making changes until
you end.
And so, you know, you can read all the explanations and then quit out, you know?
Okay, so, let me pick a good example question.
What's that?
What are the defaults?
So, the question is, are the defaults all hardening steps?
In other words, if you just click enter, enter, enter, enter, or whatever, or, you know,
next, next, next, what happens?
What happens is that you get the defaults that I figure will keep Jay from getting yelled
at all the time.
Okay?
So, the defaults are not the most secure.
They're not like do everything.
Because if we do everything, we are going to fail.
We're going to piss, I don't know, 40%, 50% of the people off.
Maybe everybody.
Okay?
So, the idea is that we want to, we tried to set defaults.
We didn't want to set defaults.
We wanted to make you actually read each question and decide what was best for your system.
Because then you get the best security.
But living in a, living in an imperfect world, we said, okay, yeah, we'll make the defaults
that if you go through all the defaults, you probably won't bitch at Jay.
Because I get a whole lot of email about Bastille as it is.
And like answering the same question over and over about why Telnet's gone kind of sucks.
So, no.
The defaults are not all make the box unusable.
It's whatever I thought would not piss people off.
So, here's an example question.
It's not massively readable from the back, I'm sure.
It says, question, would you like to disable set UID status for mount and umount?
Okay?
So, who doesn't know what set UID is?
Oh, come on.
Somebody in this room.
Okay.
Set UID.
What it does is lets an ordinary user get full super user privileges.
They get the privileges of root just to run this one command.
It's really, an example here is that mounting and unmounting drives, everybody kind of figured
that you'd only want like root to mount and unmount drives.
And so, if you want to use mount and you mount, like if you want to mount a floppy drive or
CD-ROM drive, you might not be root.
You might just be like some user on the system.
Like, I'm letting you play Quake or whatever on my system.
And so, you want to mount the Quake CD-ROM.
So, the idea is that if, and what this question says is, mount and you mount are used for mounting
slash activating and unmounting, deactivating drives that are not automatically mounted
at boot time.
This can include floppy and CD-ROM drives.
Disabling set UID would still allow anyone with a root password to mount and unmount
drives.
Okay.
So, what you're saying is kind of like, yo, if this is a server that like no one's ever
walking up to and sticking floppies in, or at least no one that you want to stick floppies
in, then maybe you should turn off set UID.
And if you did this, you dodged an exploit because there was an exploit in mount that
gave somebody who had access to the box, I mean, who had local access on the system,
not physical, but local access on the system, they got root out of whatever user they had.
So, everyone all of a sudden starts to run home.
And find their exploit for mount.
But, yeah.
You can find the exploit.
I think it's on packet storm.
But, so we can, you know, we offered to shut this off.
You can kind of choose yes.
Question.
Yeah.
Question.
.
Good question.
Damn it.
So, the question was, when you run this, does it check what the default is?
What the state of the system is?
And then let you change it?
Or does it just look at the defaults?
Little bit of both.
What we do is we're not investigating the system to learn what the settings are right
now.
Okay.
What we're doing is letting you create, in essence, we're letting you create a policy
file.
So, we say we've got our default policy.
But if you load up a previous policy, you can edit that.
So, if you had a policy on your system, it brings up the current policy.
Which means if you ran Bastille once.
You change your mind about something.
Okay.
You run Bastille.
You change your mind.
You go back and you change something.
It does the right thing.
And it knows that you had the previous setting.
But right now, we're not investigating systems.
The reason that we're not going and investigating your system is that Linux Conf, Webmin, and
a bunch of other things try to do this configuration management magic.
And I think they suck.
And a lot of people think they suck.
And the more you learn about them, the more you think they suck.
So, I don't want to.
I don't want people to say Bastille sucks.
Except when they're just having fun or something.
You know?
I mean, I don't want people to say, yeah, you know, Bastille doesn't always work.
The way we say Linux Conf doesn't always work.
So, I'm not going there right now.
So, right now, the idea is we help you set a policy.
You create a policy file.
And you can push that across a system or even a thousand systems.
You can take that policy file and use it on a bunch of other systems that are similar enough.
I'd be prepared to evacuate you guys.
Okay.
So, that's what we're doing.
Cool?
Okay.
So, you go through and you answer questions.
If you guys want to see more of the questions, you just want to, like.
Okay.
Question.
What's that?
Yep.
Okay.
So, the question was, can we configure stuff on a per interface basis?
Can we say that Apache should only respond on eth0 but not eth1 or the other way around?
Or set Apache to only run on local interface?
Yes, we can do that for Apache.
We can do it for the stuff we can do it for.
And then we've got a firewall.
Individual machine firewall that will let you set which interfaces, you know, the machine will take Apache related traffic to.
If you can define what that is.
Yeah.
Question.
Is the firewall, did we write new Linux kernel firewalling from scratch?
No.
If you've got Linux 2.2, 2.4 with the associated IP chains binary or IP tables binary, we will run through a whatever, 300, 400 line firewall and just run IP chains, IP chains, IP chains commands or IP tables or whatever.
Yes.
.
It overwrites what you have.
The question was, does it overwrite your existing firewall?
Yes.
Again, it's really, really hard for a program to be smart enough to parse your current firewall and then make, you know, and then make additions to it that make sense unless it understands the firewall.
So, it's, we're making our own which gets you better security in general.
Another question.
.
Does it tell you what changes have been made or does it make the changes?
.
Well, the first answer to that is, as you're reading through, you kind of find out what you're doing.
You know, we just, we just took, we just took set UID off ping.
But we also have a log file that tells you everything that it did.
If you're, if you're a Perl programmer, it makes more sense.
But, you know, or if you're at least a system and it makes more sense, newbies can maybe figure it out.
So, yeah, we kind of, we're working on that.
Mick.
.
.
Wow, that's a lot easier.
One of the reasons that I was able to get Bastille to run on SUSE without very much effort at all was because of the rather high level of quality logging that Bastille does.
And so, what, all that I had to do was go through that log after, after running the policy script and seeing what failed and why.
And in most cases, it was just a matter of some config file not being where it would be.
So, I had to do it in, say, Red Hat or, or in Mandrake.
And, you know, a lot of the differences between SUSE and, and those OSs kind of boils down to locations.
And then going through and tweaking the script itself.
And I'm by no means a Perl guru, but there's enough, you know, English in Bastille Linux scripts to customize them pretty equally.
And I think that's one of the big strengths.
So, you owe me a beer.
.
I forgot about my beer.
Okay, so, yeah, yeah, that was the answer.
There was another question?
Yeah?
.
There's an explain less button.
He wants an explain even more button.
Yeah, what we did was we said, we're going to, we wrote good explanations.
Then we said, oh, God, maybe some people want to get through this thing more quickly.
So, we made an explain less.
So, on a per-question basis, you can define, you can define how, you can define basically how good, how detailed the explanations are.
And that's a, that's a really useful thing.
Yeah, and explain even more.
Okay, so, yeah, plug time.
Explain even more means read my articles on Security Portal or, or go buy my book when it's done or something.
The other version of explain more is the best thing you can do for security.
One of the best freaking things you can do for security is to understand your system better.
Okay, if you, if you understand, if you, you can't really hack a system or you can't hack a system with your own script.
Unless you really understand how it works.
So, the better you can understand your system, the better you'll get at security.
There's a, yeah?
.
I'm sorry?
.
.
.
There's a very good suggestion.
We should include a relative threat level.
Say, this is something you can do.
If you don't do it, you're a fucking goner, man.
Or, this is kind of just something we think might be useful.
That would be a good idea.
It's, with hardening, you're really just trying to, you're just trying to get into a better state.
But, yeah, we can probably do that.
The tough thing is, what's the relative threat level of set UID mount?
Until the mount exploit comes out, I don't know.
.
What's that?
.
Oh, yeah.
If an exploit exists already, yeah, we can definitely do that, we can say.
We've thought about actually doing host-based vulnerability.
Like, just saying, hey, as long as we're poking around your system, let us tell you what's wrong with it.
You know?
And that might be something we do.
Yeah?
.
Expanding on the explain more, maybe another thought would be to mention particular man pages that would be helpful for newbies.
As to which?
.
Okay.
What he said was, expanding on the explain more, maybe we should start referencing man pages that these newbies should read.
Good idea.
Yeah, question?
.
Do we have a backup capability?
Yeah, I'm right with you.
We have a backup capability.
Every time, whenever you, when you first run Bastille, okay, when you first run Bastille, among other things, we make a backup of every single file we modify.
Okay?
They're in a directory called, like, var, log, Bastille, undo, backup.
And in there, what you'll see is, like, your Etsy password file is in a directory called Etsy in there.
So it's, like, you can actually use tar to go and undo the backup.
Or you can just run our fancy-schwancy undo program.
So, yeah, we'll take you right back to where you were.
It's, like, a, it's not a really refined go back, but it's, like, a big red button.
Like, I just ran Bastille and everything's all fucked up.
So, you know, I hit a big red button and it all comes back.
People use this thing a lot when they misconfigure their firewall.
Yeah, another question.
What are my feelings on sudo?
Okay, sudo is used in place of, like, there are a couple things you can do with set UID programs or whatever.
You can take a set UID program and set it so it's not world executable.
It's only executable by a group.
And then put a bunch of people in that group.
So you might have a group called pingers.
You know, people are allowed to use ping as, people are allowed to use ping as root.
I like sudo.
Sudo is cool.
Okay?
Sudo lets you do the same kind of thing except it's got a lot more flexibility and a lot more built-in security.
It's nice.
Sudo is a nice option.
I think everyone should go and read about sudo.
Go read about sudo.
Go check it out.
It's really useful.
If you are an assistant administrator in this room and you've got people helping you, you've got, like, you know, little kids or whatever, like staff or something, you need sudo.
Okay?
It lets you delegate, it lets you delegate certain tasks to somebody without giving them the root password.
So instead of my sysadmin, like, you know, a few years back, like, giving me the root password on all the systems, he could have, like, just given me, like, sudo permission to just do the stuff I needed to do, you know, like swap the tapes or something.
So sudo is really cool.
I like sudo.
What's the security implications of keeping all the backup files?
Does that open up another local exploit?
What about the security implications of keeping all those backup files, those undo files on the system?
Does it open up another exploit?
You're too paranoid, boy.
Not really.
Because to read that stuff, you've got to be root.
Like, we set the permissions well.
And if you're root already, you know, if you can read those files, if you can read the backup, the old files, you can basically read the current ones.
So, you know, we're not really, it's not really, like, a problem.
So, you know, I think sudo is a great way to do it.
You haven't won anything. So, it's, no, it shouldn't be a problem.
It shouldn't be a problem. Yeah, question back there.
Male Speaker 1 in audience 2 speaking
Male Speaker 1 in audience 2 speaking
Male Speaker 1 in audience 2 speaking
Ooh, I like this question. So, both from the user community
and developers who want to get involved, what can you do to help?
Okay, so if you're a pro programmer and you've got
some part of the system that we're not currently hardening and you'd like to write a script,
Samba would be really good. I'd love to see if somebody could do some good Samba,
a good Samba, like, configurator for better security.
The best thing you can do is go and read the slides I'm going to put up on my website from a talk I gave last week
in Bordeaux called Hacking Bastille Modules.
And that'll help you create, you know, your own modules. So, you know,
get in and, like, send me an email and say,
I want to do this, and we'll start talking, and you can make your own module.
If you're a user, there's lots of areas you can help. One of them is testing. We could really
use some good testing. It's surprising, you know, how hard it is
to hold onto testers, but people get kind of bored. So,
yeah, we could use testers. People who have VMware are amazingly useful.
We can use people who can
write or clean up our documentation. We can use people
who can run Bastille on a system and then see what
and, you know, we can use hackers. We can use people who can run Bastille on a system and see what they can
still do to it to send us an email and say,
I rooted the Bastille box. You know, like, I'd find that very useful. I'd like some
research. So, whatever you can think of that you think you could donate to this
project in terms of time, energy, and thoughts,
yeah, you probably can. Future
speaker. How many minutes do I have left? Oh. How many minutes do I have left? What time is it?
1256. I got four minutes.
When's my book coming out? Books take a long time to write
and then a long time to publish in maybe a year. Maybe six months, but it depends on how quickly
I write. Yeah.
With 2.4 kernel, okay, with the 2.4 kernel in
place of IP chains, we're having IP
tables in place of IP chains. What is that bias? Much
better firewalling, damn it. Among other things,
FTP is a bitch to firewall when you've got a stateless packet filter
and it's a whole lot easier to firewall when you've got a
stateful packet filter. 2.4's packet filter is stateful.
It's just a whole lot smarter, okay? It's just
really good and if there's no other questions, I'll go on and on about it, but
stateful packet filtering rocks and we take advantage of it and we'll take advantage of more
of the cool features like MAC address filtering or whatever. So, yeah,
we'll get there. It's cool. Yeah.
.
.
. I'm sorry?
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. .
. .
. .
. .
. .
. .
. .
. .
. . .
. . .
. . .
users or box owners deploying it on their box. Whatever. It's all good. It's very, very useful
everywhere. You know? I don't know. Another question. What time is it? Four. Hold on. Last
question. What's that? How do you feel about having a modulized kernel versus a monolith?
Oh, shit. A kernel module question. It would be really cool to figure out exactly what you
want on your kernel and build it and not have the capability to load modules. That would be
really useful because then we don't have to worry about module like rootkit so much. But
otherwise, that's all I got to say. Okay. I am done.
